Rule documentation

Common Weakness Enumeration mapping

Written by Gabriele Gallo Stampino
Updated over a week ago

What types of rules are supported by Clayton?

Choose your rules from our catalog

Written by Gabriele Gallo Stampino
Updated over a week ago

Passwords set programmatically

Detect instances in which users password are programmatically set.

Written by Gabriele Gallo Stampino
Updated over a week ago

Flow Access Restriction

Detect Flows without any access restriction (either by a profile nor by a permission set).

Written by Gabriele Gallo Stampino
Updated over a week ago

Email spamming risk

Detect instances in which is possible to send emails without any control, straight invokable from end users.

Written by Gabriele Gallo Stampino
Updated over a week ago

Insecure sharing to external users

Written by Gabriele Gallo Stampino
Updated over a week ago

Server-side Payload Injection

Written by Gabriele Gallo Stampino
Updated over a week ago

User Registration Without Limits

Written by Gabriele Gallo Stampino
Updated over a week ago

LWC Clickjacking on CSS

Detect components that are vulnerable to Clickjacking.

Written by Gabriele Gallo Stampino
Updated over a week ago

Import of sensitive fields in Lightning Web Components (LWC)

Written by Gabriele Gallo Stampino
Updated over a week ago

Direct DOM manipulation in Lightning Web Components (LWC)

Detect LWC templates that use direct DOM manipulation and bypass the secure Shadow DOM provided by the Lightning Web Components

Written by Gabriele Gallo Stampino
Updated over a week ago

Sensitive information storage

Detect when sensitive information like tokens, secrets are stored insecurely.

Written by Gabriele Gallo Stampino
Updated over a week ago

Sensitive information logging

Inspect the data model definition, and ensure sensitive information isn’t logged or exposed unsafely to avoid data leaks.

Written by Gabriele Gallo Stampino
Updated over a week ago

Excessive data access permissions

Detects the use of "ViewAllData" and "ViewAllRecords" in profiles.

Written by Gabriele Gallo Stampino
Updated over a week ago

Subresource integrity

Detect subresource integrity vulnerabilities.

Written by Gabriele Gallo Stampino
Updated over a week ago

Content Security Policy (CSP)

Make sure that resources used by Visualforce or Lightning components are retrieved securely in accordance to your Content Security Policy.

Written by Lorenzo Frattini
Updated over a week ago

Insecure endpoints

Ensure HTTP callouts use secured endpoints (HTTPS) to protect your application and users from attack.

Written by Lorenzo Frattini
Updated over a week ago

Named credentials

Enforce using named credentials instead of manually hard-wiring credentials when performing HTTP requests.

Written by Lorenzo Frattini
Updated over a week ago

Randomization of cryptographic keys

Detect uses of cryptography with hard-wired keys, so that the security of encrypted data is not compromised.

Written by Lorenzo Frattini
Updated over a week ago

Call to blocklisted method

Detects any call to a method that is part of a block list.

Written by Gabriele Gallo Stampino
Updated over a week ago

Identify methods with global visibility

Detects methods that can be referenced from outside a managed package.

Written by Gabriele Gallo Stampino
Updated over a week ago

Asynchronous methods in loops

Prevent the use of asynchronous Apex methods (@future) inside loops, to help your application cope with larger volumes of data properly.

Written by Lorenzo Frattini
Updated over a week ago

Boundaries on SOQL statements

Ensure all SOQL statements are either bound by either a LIMIT or by a WHERE clause.

Written by Lorenzo Frattini
Updated over a week ago

Bulkification of triggers

Ensure your Apex triggers can process data in bulks and properly deal with larger volumes.

Written by Lorenzo Frattini
Updated over a week ago

Business logic in triggers

Detect the presence of non-trivial business logic inside Apex triggers.

Written by Lorenzo Frattini
Updated over a week ago

Metadata API recency

Ensure your components are up to date with a recent enough version of the Salesforce API.

Written by Lorenzo Frattini
Updated over a week ago

Multiple triggers per object

Detect multiple triggers on the same object, and prevent non-deterministic behaviours.

Written by Lorenzo Frattini
Updated over a week ago

Nested IFs

Keep your code easy to read and test by containing the use of nested conditional structures.

Written by Lorenzo Frattini
Updated over a week ago

Number of arguments per method

Limit the number of arguments allowed for each method to keep your code easy to read and maintain.

Written by Lorenzo Frattini
Updated over a week ago

Number of methods per class

Limit the number of methods allow per each Apex class, to encourage good design.

Written by Lorenzo Frattini
Updated over a week ago

Send email in loops

Prevent uses of Messaging.sendEmail inside loops, to reduce the risk of running into governor limits.

Written by Lorenzo Frattini
Updated over a week ago

Non-selective SOQL queries on large objects

Detect potentially slow queries when working with large objects.

Written by Gabriele Gallo Stampino
Updated over a week ago

Direct access utility class

Detects any direct usage of SOQL in Apex classes.

Written by Gabriele Gallo Stampino
Updated over a week ago

Data manipulation utility class

Detects any direct usage of DML methods in Apex Classes.

Written by Gabriele Gallo Stampino
Updated over a week ago

CRUD and Field-Level Security

Ensure that CRUD permissions and Field-Level Security are enforced in Visualforce and Lightning, to avoid exposing sensitive data.

Written by Lorenzo Frattini
Updated over a week ago

Data access in loops

Prevent the use of any SOQL or DML inside loops to help your application cope with larger volumes of data properly.

Written by Lorenzo Frattini
Updated over a week ago

Data manipulation in constructors

Prevent all constructors from writing in to the database, so that creation of objects does not have any data-altering side-effects.

Written by Lorenzo Frattini
Updated over a week ago

Exception handling

Enforce the presence of a try/catch block to handle possible exceptions around DML statements.

Written by Lorenzo Frattini
Updated over a week ago

Sharing

Ensure proper sharing behaviour on classes that access data or expose it data in views or APIs.

Written by Lorenzo Frattini
Updated over a week ago

Transaction control

Enforce the use of transaction control (savepoints and rollbacks) when multiple database operations are performed within the same block.

Written by Lorenzo Frattini
Updated over a week ago

Description on custom fields

Require a description on all custom fields for both standards and custom objects.

Written by Lorenzo Frattini
Updated over a week ago

Hardcoded IDs in code

Detect any hardcoded record IDs in your Lightning controllers and Apex classes and triggers.

Written by Lorenzo Frattini
Updated over a week ago

Hardcoded IDs in configuration

Detect any hardcoded record IDs inside configuration fields such as formulas.

Written by Lorenzo Frattini
Updated over a week ago

Inline JavaScript

Prevent the use of inline JavaScript to ensure proper separation of concern between model and view in your Lightning components.

Written by Lorenzo Frattini
Updated over a week ago

Unsafe JavaScript

Prevent any use of the unsafe eval method in your Lightning controllers to reduce security risk

Written by Lorenzo Frattini
Updated over a week ago

Naming conventions on Aura Controller Property

Keep your Aura property names consistent and easy to read and maintain.

Written by Gabriele Gallo Stampino
Updated over a week ago

Naming conventions on Apex classes

Keep your class names consistent, easier to read and maintain.

Written by Lorenzo Frattini
Updated over a week ago

Naming conventions on Apex triggers

Keep your trigger names consistent, easier to read and maintain.

Written by Lorenzo Frattini
Updated over a week ago

Naming conventions on Apex methods

Keep your method names consistent, easier to read and maintain.

Written by Lorenzo Frattini
Updated over a week ago

Naming conventions for Apex variables

Keep your variable names consistent, easier to read and maintain.

Written by Lorenzo Frattini
Updated over a week ago

Inactive Workflow Rules

workflow rules that are inactive and therefore can be removed.

Written by Gabriele Gallo Stampino
Updated over a week ago

Inactive Workflows

Find workflows that don't contain any active rules.

Written by Gabriele Gallo Stampino
Updated over a week ago

Possibly Unexposed Object Fields

Highlight object fields that are not directly included in any views, nor retrieved by any queries.

Written by Gabriele Gallo Stampino
Updated over a week ago

Possibly Unused Apex Triggers

Highlight triggers that are not directly invoked by code.

Written by Gabriele Gallo Stampino
Updated over a week ago

Optimized loading of resources

Make sure any inclusion of static resources such as scripts or stylesheets leverage the appropriate built-in optimizations.

Written by Lorenzo Frattini
Updated over a week ago

Unnecessary code detection

Detect unused or empty methods, interfaces that are never implemented, and more unnecessary code.

Written by Lorenzo Frattini
Updated over a week ago

Identify test coverage cheats

Detect methods that have been introduced as an attempt to cheat test coverage.

Written by Gabriele Gallo Stampino
Updated over a week ago

Assertions with comments

Use this rule to ensure all assertions include explanatory comments.

Written by Lorenzo Frattini
Updated over a week ago

Minimum number of assertions

Enforce a requirement on the minimum number of assertions for any test methods.

Written by Lorenzo Frattini
Updated over a week ago

Test data isolation

Ensure that test methods create their own data and don't access actual data in your org.

Written by Lorenzo Frattini
Updated over a week ago

Untested methods

Identify Apex methods that aren't covered by any unit tests.

Written by Lorenzo Frattini
Updated over a week ago

Use of @IsTest annotation

Keep your test cleaner using the @IsTest annotation, instead of using the deprecated testMethod keyword.

Written by Lorenzo Frattini
Updated over a week ago

Use of test data factories

Ensure test data are created using factory methods, to limit the code maintenance needed when changing validation rules.

Written by Lorenzo Frattini
Updated over a week ago

Salesforce1 compatibility in Visualforce

Ensure your Visualforce customizations work on the Salesforce1 mobile app.

Written by Lorenzo Frattini
Updated over a week ago

User-friendly messages in Visualforce

Ensure that Visualforce pages and components display errors in a user-friendly manner.

Written by Lorenzo Frattini
Updated over a week ago

Visualforce view state optimization

Keep the size of the Visualforce view state lean, in order to minimize loading times and avoid hitting governor limits.

Written by Lorenzo Frattini
Updated over a week ago

Third-party component with known vulnerability

Detect Javascript libraries that might expose your application to known vulnerabilities.

Written by Gabriele Gallo Stampino
Updated over a week ago

Arbitrary Page Redirect

Detect statements that might expose your app to Arbitrary Page Redirect vulnerability.

Written by Lorenzo Frattini
Updated over a week ago

Cross-Site Scripting (XSS)

Detect expressions that might be vulnerable to Cross-Site Scripting (XSS) in Apex, Visualforce and Lightning components.

Written by Lorenzo Frattini
Updated over a week ago

Cross-Site Request Forgery (CSRF)

Detect Cross-Site Request Forgery vulnerabilities in your Salesforce app.

Written by Lorenzo Frattini
Updated over a week ago

Insecure Direct Object References

Detect insecure direct object references (DOR) and avoid accidentally exposing sensitive data in your app.

Written by Lorenzo Frattini
Updated over a week ago

SOQL/SOSL Injection

Ensure user-supplied input is sanitized before using it in dynamic SOQL or SOSL queries.

Written by Lorenzo Frattini
Updated over a week ago

Inactive flows and processes

Detects flows and processes that are left in the metadata, although they are no longer active.

Written by Gabriele Gallo Stampino
Updated over a week ago

Inactive validation rules

Detects validation rules that are left in the metadata, although they are no longer active.

Written by Gabriele Gallo Stampino
Updated over a week ago

Objects with an excessive number of custom fields

Detects objects with an excessive number of custom fields, which makes them hard to maintain.

Written by Gabriele Gallo Stampino
Updated over a week ago

High complex flows and processes

Detects processes with an excessive number of decisions, which makes them hard to test and maintain.

Written by Gabriele Gallo Stampino
Updated over a week ago

High complex Apex methods

Detect methods with that are excessively complex and that are therefore hard to maintain.

Written by Gabriele Gallo Stampino
Updated over a week ago

High complex Apex files

Detect Apex files that are excessively complex and that are therefore hard to maintain.

Written by Gabriele Gallo Stampino
Updated over a week ago